Google Finds Linux Buffer Overflow Bug

Google reported that one of its security engineers discovered a stack buffer overflow bug in the GNU C Library (Glibc) that could be used to execute code remotely. A patch for the bug has now been released by Google and Red Hat.

In a post on its Security Blog published on Feb. 16, Google stated that its engineer was able to create a fully working exploit using the Glibc bug. Glibc is the GNU Project’s implementation of the C standard library; it defines the basic facilities that C programs on many Linux distributions use to interact with the OS.

Although most Linux operating systems are protected from buffer overflow attacks through Address Space Layout Randomization (ASLR), the newly found bug allowed hackers to attack Linux machines through “attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack”.

Google refused to release the code it used to test the bug so that it cannot be used for malicious or criminal purposes, but it has released proof-of-concept code to show users that Glibc is vulnerable.

Google said:

The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.

Most of the time, serious security vulnerabilities like this one are not publicly disclosed until a patch can be released, in order to limit the risk of endangering even more customers. The only exception to this rule is when the maintainers of the dangerous software are unresponsive and refuse to fix the problem.

While investigating the bug, Google engineers found that Glibc maintainers had been aware of it since at least July 2015, although it had not been fixed. Google worked with two Red Hat developers who were already trying to create a solution for the bug, and released a patch for it when it publicly announced the finding.

All Glibc versions after the 2.9 release are affected by this issue, although Google recommends updating older versions as well. Google also offers suggestions for other mitigations that users can apply if they cannot install the patch at the moment.

News about this bug comes less than two weeks before one of the largest security conferences in the US, the RSA security conference, is set to take place in San Francisco, and Google’s announcement might also have been timed to draw attention to other possible security threats of this kind.